
Merge pull request #33 from bytedance/add-new-built-in-rules
Add new built-in rules
Danny-Wei authored Feb 26, 2024
2 parents 08cefcf + f539509 commit c64d50d
Showing 29 changed files with 310 additions and 68 deletions.
24 changes: 9 additions & 15 deletions .github/workflows/ci-alpha-build.yml
Expand Up @@ -40,32 +40,26 @@ jobs:
with:
platforms: linux/amd64,linux/arm64/v8

- name: Set up llvm and apparmor
run: ./.github/scripts/toolchain.sh
- name: Run build
run: make docker-build-dev

- name: Package helm chart
run: make helm-package-dev

- name: Login to registry
run: echo "${{ secrets.PUSH_PASSWORD }}" | docker login -u=${{ secrets.PUSH_USERNAME }} elkeid-ap-southeast-1.cr.volces.com --password-stdin

- name: Push artifacts to registry
run: make push-dev

- name: Upload Helm Chart as Artifact
uses: actions/upload-artifact@v2
with:
name: helm-chart
path: varmor-*.tgz

- name: Run build
run: make docker-build-dev

- name: Login to Docker Hub
run: echo "${{ secrets.PUSH_PASSWORD }}"|docker login -u=${{ secrets.PUSH_USERNAME }} elkeid-ap-southeast-1.cr.volces.com --password-stdin


- name: Push image to registry
run: make push-dev

- id: SetVersion
run: echo "version=$(git describe --tags --match "v[0-9]*"| sed 's/^v//')">> "$GITHUB_OUTPUT"


run: echo "version=$(git describe --tags --match "v[0-9]*" | sed 's/^v//')">> "$GITHUB_OUTPUT"

deploy-and-basic-test:
needs: build
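Review bot: `uses: actions/upload-artifact@v2` in the new Upload Helm Chart as Artifact step references the action by a mutable major tag, and this job also holds registry push credentials (`secrets.PUSH_PASSWORD`), so pin third-party actions to a full commit SHA, e.g. `uses: actions/upload-artifact@<commit-sha>  # v2`, so that a moved or compromised tag cannot swap in different code. v2 is an old major line of that action; check which version the runner still supports before pinning it. The new `Login to registry` line leaves the username unquoted, `-u=${{ secrets.PUSH_USERNAME }}`; `-u="${{ secrets.PUSH_USERNAME }}"` keeps a value containing shell-special characters intact. The `jobs:` block and the `build` job start above the hunk.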
11 changes: 4 additions & 7 deletions .github/workflows/ci-release-build.yml
Expand Up @@ -29,17 +29,14 @@ jobs:
with:
platforms: linux/amd64,linux/arm64/v8

- name: Set up llvm and apparmor
run: ./.github/scripts/toolchain.sh

- name: Run build
run: make docker-build

- name: Login to Docker Hub
run: echo "${{ secrets.RELEASE_PASSWORD }}"||docker login -u=${{ secrets.PUSH_USERNAME }} elkeid-cn-beijing.cr.volces.com --password-stdin

- name: Package helm chart
run: make helm-package

- name: Push image to registry
- name: Login to registry
run: echo "${{ secrets.RELEASE_PASSWORD }}"||docker login -u=${{ secrets.PUSH_USERNAME }} elkeid-ap-southeast-1.cr.volces.com --password-stdin

- name: Push artifacts to registry
run: make push
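Review bot: The new `Login to registry` step joins the two commands with `||` instead of a pipe, `echo "${{ secrets.RELEASE_PASSWORD }}"||docker login ...` — `echo` always succeeds, so `docker login` never runs and the following `make push` has no credentials for elkeid-ap-southeast-1.cr.volces.com, while the password is written to the step's stdout instead of docker's stdin (GitHub's masking of registered secrets in logs is best-effort and should not be relied on). The removed `Login to Docker Hub` line carried the same `||`, so the defect is pre-existing, but the step is rewritten here and the alpha workflow in this same commit already uses the correct form. Change the line to `run: echo "${{ secrets.RELEASE_PASSWORD }}" | docker login -u="${{ secrets.PUSH_USERNAME }}" elkeid-ap-southeast-1.cr.volces.com --password-stdin`. The `build` job's earlier steps are above the hunk.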
42 changes: 4 additions & 38 deletions Makefile
Expand Up @@ -3,13 +3,11 @@ GIT_VERSION := $(shell git describe --tags --match "v[0-9]*")
VARMOR_PATH := cmd/varmor
CLASSIFIER_PATH := cmd/classifier

REGISTRY ?= elkeid-cn-beijing.cr.volces.com
REGISTRY_AP ?= elkeid-ap-southeast-1.cr.volces.com
REGISTRY_DEV ?= elkeid-ap-southeast-1.cr.volces.com

NAMESPACE ?= varmor
NAMESPACE_DEV ?= varmor-test
REPO = $(REGISTRY)/$(NAMESPACE)
REPO_AP = $(REGISTRY_AP)/$(NAMESPACE)
REPO_DEV = $(REGISTRY_DEV)/$(NAMESPACE_DEV)

Expand All @@ -20,10 +18,8 @@ CLASSIFIER_IMAGE_NAME := classifier
CLASSIFIER_IMAGE_TAG := $(VARMOR_IMAGE_TAG)
CLASSIFIER_IMAGE_TAG_DEV := $(VARMOR_IMAGE_TAG_DEV)

VARMOR_IMAGE ?= $(REPO)/$(VARMOR_IMAGE_NAME):$(VARMOR_IMAGE_TAG)
VARMOR_IMAGE_AP ?= $(REPO_AP)/$(VARMOR_IMAGE_NAME):$(VARMOR_IMAGE_TAG)
VARMOR_IMAGE_DEV ?= $(REPO_DEV)/$(VARMOR_IMAGE_NAME):$(VARMOR_IMAGE_TAG_DEV)
CLASSIFIER_IMAGE ?= $(REPO)/$(CLASSIFIER_IMAGE_NAME):$(CLASSIFIER_IMAGE_TAG)
CLASSIFIER_IMAGE_AP ?= $(REPO_AP)/$(CLASSIFIER_IMAGE_NAME):$(CLASSIFIER_IMAGE_TAG)
CLASSIFIER_IMAGE_DEV ?= $(REPO_DEV)/$(CLASSIFIER_IMAGE_NAME):$(CLASSIFIER_IMAGE_TAG_DEV)

Expand Down Expand Up @@ -178,19 +174,19 @@ docker-build-dev: docker-build-varmor-amd64-dev docker-build-varmor-arm64-dev do

docker-build-varmor-amd64:
@echo "[+] Build varmor-amd64 image for release version"
@docker buildx build --file $(PWD)/$(VARMOR_PATH)/Dockerfile --tag $(VARMOR_IMAGE)-amd64 --platform linux/amd64 --build-arg TARGETPLATFORM="linux/amd64" --build-arg MAKECHECK="check" --load .
@docker buildx build --file $(PWD)/$(VARMOR_PATH)/Dockerfile --tag $(VARMOR_IMAGE_AP)-amd64 --platform linux/amd64 --build-arg TARGETPLATFORM="linux/amd64" --build-arg MAKECHECK="check" --load .

docker-build-varmor-arm64:
@echo "[+] Build varmor-arm64 image for the release version"
@docker buildx build --file $(PWD)/$(VARMOR_PATH)/Dockerfile --tag $(VARMOR_IMAGE)-arm64 --platform linux/arm64 --build-arg TARGETPLATFORM="linux/arm64" --build-arg MAKECHECK="check" --load .
@docker buildx build --file $(PWD)/$(VARMOR_PATH)/Dockerfile --tag $(VARMOR_IMAGE_AP)-arm64 --platform linux/arm64 --build-arg TARGETPLATFORM="linux/arm64" --build-arg MAKECHECK="check" --load .

docker-build-classifier-amd64:
@echo "[+] Build classifier-amd64 image for the release version"
@docker buildx build --file $(PWD)/$(CLASSIFIER_PATH)/Dockerfile --tag $(CLASSIFIER_IMAGE)-amd64 --platform linux/amd64 --load .
@docker buildx build --file $(PWD)/$(CLASSIFIER_PATH)/Dockerfile --tag $(CLASSIFIER_IMAGE_AP)-amd64 --platform linux/amd64 --load .

docker-build-classifier-arm64:
@echo "[+] Build classifier-arm64 image for the release version"
@docker buildx build --file $(PWD)/$(CLASSIFIER_PATH)/Dockerfile --tag $(CLASSIFIER_IMAGE)-arm64 --platform linux/arm64 --load .
@docker buildx build --file $(PWD)/$(CLASSIFIER_PATH)/Dockerfile --tag $(CLASSIFIER_IMAGE_AP)-arm64 --platform linux/arm64 --load .

docker-build-varmor-amd64-dev:
@echo "[+] Build varmor-amd64 image for the development version"
Expand Down Expand Up @@ -249,20 +245,6 @@ push-dev: ## Push images and chart to the private repository for development.


push: ## Push images and chart to the public repository for release.
docker push $(VARMOR_IMAGE)-amd64
@echo "----------------------------------------"
docker push $(VARMOR_IMAGE)-arm64
@echo "----------------------------------------"
-docker manifest rm $(VARMOR_IMAGE)
@echo "----------------------------------------"
docker manifest create $(VARMOR_IMAGE) $(VARMOR_IMAGE)-amd64 $(VARMOR_IMAGE)-arm64
@echo "----------------------------------------"
docker manifest push $(VARMOR_IMAGE)
@echo "----------------------------------------"
docker tag $(VARMOR_IMAGE)-amd64 $(VARMOR_IMAGE_AP)-amd64
@echo "----------------------------------------"
docker tag $(VARMOR_IMAGE)-arm64 $(VARMOR_IMAGE_AP)-arm64
@echo "----------------------------------------"
docker push $(VARMOR_IMAGE_AP)-amd64
@echo "----------------------------------------"
docker push $(VARMOR_IMAGE_AP)-arm64
Expand All @@ -273,20 +255,6 @@ push: ## Push images and chart to the public repository for release.
@echo "----------------------------------------"
docker manifest push $(VARMOR_IMAGE_AP)
@echo "----------------------------------------"
docker push $(CLASSIFIER_IMAGE)-amd64
@echo "----------------------------------------"
docker push $(CLASSIFIER_IMAGE)-arm64
@echo "----------------------------------------"
-docker manifest rm $(CLASSIFIER_IMAGE)
@echo "----------------------------------------"
docker manifest create $(CLASSIFIER_IMAGE) $(CLASSIFIER_IMAGE)-amd64 $(CLASSIFIER_IMAGE)-arm64
@echo "----------------------------------------"
docker manifest push $(CLASSIFIER_IMAGE)
@echo "----------------------------------------"
docker tag $(CLASSIFIER_IMAGE)-amd64 $(CLASSIFIER_IMAGE_AP)-amd64
@echo "----------------------------------------"
docker tag $(CLASSIFIER_IMAGE)-arm64 $(CLASSIFIER_IMAGE_AP)-arm64
@echo "----------------------------------------"
docker push $(CLASSIFIER_IMAGE_AP)-amd64
@echo "----------------------------------------"
docker push $(CLASSIFIER_IMAGE_AP)-arm64
Expand All @@ -297,6 +265,4 @@ push: ## Push images and chart to the public repository for release.
@echo "----------------------------------------"
docker manifest push $(CLASSIFIER_IMAGE_AP)
@echo "----------------------------------------"
helm push varmor-$(CHART_VERSION).tgz oci://$(REPO)
@echo "----------------------------------------"
helm push varmor-$(CHART_VERSION).tgz oci://$(REPO_AP)
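Review bot: The four rewritten `docker buildx build` lines in the release targets (`docker-build-varmor-amd64` through `docker-build-classifier-arm64`) keep the `@` prefix on the build command, so when a build fails the log shows only the `[+] Build ...` banner and not the command that failed; silence only the `echo` and let the `docker buildx build` line echo. The same lines use `$(PWD)`, which is an environment variable inherited from the invoking shell and may be unset or stale when make is run from a non-shell context such as a CI runner; `$(CURDIR)` is set by make itself and is the reliable choice, e.g. `--file $(CURDIR)/$(VARMOR_PATH)/Dockerfile`. With the `REGISTRY`/`REPO`/`VARMOR_IMAGE`/`CLASSIFIER_IMAGE` variants apparently dropped in the first two hunks, the surviving `*_AP` names now denote the only release registry, so renaming them to the plain names, or at least a comment marking `REGISTRY_AP ?=` as the override point for `make REGISTRY_AP=... push`, would make the build's single publish target discoverable. The `push` target's remaining manifest steps sit between the hunks shown.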
8 changes: 4 additions & 4 deletions README.md
Expand Up @@ -52,15 +52,15 @@ For more information, please refer to [Policy Modes and Built-in Rules](docs/bui

### Step 1. Fetch chart
```
helm pull oci://elkeid-cn-beijing.cr.volces.com/varmor/varmor --version 0.5.6-rc
helm pull oci://elkeid-ap-southeast-1.cr.volces.com/varmor/varmor --version 0.5.6-rc
```

### Step 2. Install
*You can use the domain `elkeid-ap-southeast-1.cr.volces.com` outside of the CN region.*
*You can use the domain `elkeid-cn-beijing.cr.volces.com` inside of the CN region.*
```
helm install varmor varmor-0.5.6-rc.tgz \
--namespace varmor --create-namespace \
--set image.registry="elkeid-cn-beijing.cr.volces.com"
--set image.registry="elkeid-ap-southeast-1.cr.volces.com"
```

### Step 3. Try with this example
Expand Down Expand Up @@ -122,7 +122,7 @@ vArmor references part of the code of [kyverno](https://github.com/kyverno/kyver

## Demo
Below is a demonstration of using vArmor to harden a Deployment and defend against CVE-2021-22555. (The exploit is modified from [cve-2021-22555](https://github.com/google/security-research/tree/master/pocs/linux/cve-2021-22555))<br>
![image](test/demo/kernel-exp/CVE-2021-22555/demo.gif)
![image](test/demo/vulnerability-mitigation/CVE-2021-22555/demo.gif)


## 404Starlink
5 changes: 3 additions & 2 deletions README.zh_CN.md
Expand Up @@ -6,7 +6,7 @@

**vArmor** 是一个云原生容器沙箱系统,它借助 Linux 的 [AppArmor LSM](https://en.wikipedia.org/wiki/AppArmor), [BPF LSM](https://docs.kernel.org/bpf/prog_lsm.html)[Seccomp](https://en.wikipedia.org/wiki/Seccomp) 技术实现强制访问控制器(即 enforcer),从而对容器进行安全加固。它可以用于增强容器隔离性、减少内核攻击面、增加容器逃逸或横行移动攻击的难度与成本。

你可以借助 vArmor 在以下场景对 Kubernetes 集群中的容器进行沙箱防护
您可以借助 vArmor 在以下场景对 Kubernetes 集群中的容器进行沙箱防护
* 业务场景存在多租户(多租户共享同一个集群),由于成本、技术条件等原因无法使用硬件虚拟化容器(如 Kata Container)
* 需要对关键的业务进行安全加固,增加攻击者权限提升、容器逃逸、横向渗透的难度与成本
* 当出现高危漏洞,但由于修复难度大、周期长等原因无法立即修复时,可以借助 vArmor 实施漏洞利用缓解(具体取决于漏洞类型或漏洞利用向量。缓解代表阻断利用向量、增加利用难度)
Expand Down Expand Up @@ -54,6 +54,7 @@ helm pull oci://elkeid-cn-beijing.cr.volces.com/varmor/varmor --version 0.5.6-rc
```

### Step 2. 安装
*您可以在非中国地区使用 elkeid-ap-southeast-1.cr.volces.com 域名*
```
helm install varmor varmor-0.5.6-rc.tgz \
--namespace varmor --create-namespace \
Expand Down Expand Up @@ -118,7 +119,7 @@ vArmor 在研发初期参考了 [Nirmata](https://nirmata.com/) 开发的 [kyver

## 演示
下面是一个使用 vArmor 对 Deployment 进行加固,防御 CVE-2021-22555 攻击的演示(Exploit 修改自 [cve-2021-22555](https://github.com/google/security-research/tree/master/pocs/linux/cve-2021-22555))。<br>
![image](test/demo/kernel-exp/CVE-2021-22555/demo.zh_CN.gif)
![image](test/demo/vulnerability-mitigation/CVE-2021-22555/demo.zh_CN.gif)


## 404星链计划
2 changes: 1 addition & 1 deletion cmd/varmor/Dockerfile
Expand Up @@ -6,7 +6,7 @@ LABEL maintainer="weiwei.danny@bytedance.com"
ARG MAKECHECK

RUN apt-get update && apt-get -y upgrade
RUN apt-get install -y git python3-pip python3-dev swig bison flex dejagnu pyflakes3 autoconf libtool zlib1g-dev gettext gperf
RUN apt-get install -y git python3-pip python3-dev swig bison flex dejagnu pyflakes3 autoconf libtool zlib1g-dev gettext gperf autoconf-archive
RUN pip3 install notify2 psutil python-config

RUN git clone https://gitlab.com/apparmor/apparmor.git
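Review bot: The `apt-get install -y` line gains `autoconf-archive` with no version pin, and the build it presumably serves — the `git clone https://gitlab.com/apparmor/apparmor.git` on the next context line — takes whatever the upstream default branch holds at image build time, so the AppArmor userspace baked into the image is neither reproducible nor reviewable and an upstream change can silently alter the policy tooling shipped here. Pin the clone to a release tag or commit, e.g. `RUN git clone --depth 1 --branch <apparmor-release-tag> https://gitlab.com/apparmor/apparmor.git`, and record in a comment which AppArmor version the added package is required for. The `pip3 install notify2 psutil python-config` line has the same unpinned-dependency issue. The rest of the Dockerfile, including the base image and the build of the cloned tree, is outside the hunk.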
